sync: redpanda v5.10.2

Author: chrisseto

Taskfile.yaml

@@ -170,7 +170,7 @@ tasks:
   sync:redpanda:chart:
     - task: sync:chart
       vars:
-        REF: charts/redpanda/v5.10.1
+        REF: charts/redpanda/v5.10.2
         LOCAL_DIR: charts/redpanda
         REMOTE_DIR: charts/redpanda
 

charts/redpanda/CHANGELOG.md

@@ -5,6 +5,32 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 and is generated by [Changie](https://github.com/miniscruff/changie).
 
 
+## v5.10.2 - 2025-05-01
+### Changed
+* `serviceAccount.create` now defaults to `true`.
+
+  The previous behavior resulted in using the `default` service account and
+  extending it with all bindings generated from the chart. Such behavior is
+  unlikely to be desired.
+* `rpk debug bundle --namespace $NAMESPACE` now works by default.
+
+  The chart now creates a set of `Roles` and `RoleBindings` that satisfy the
+  requirements of running `rpk debug bundle` from any redpanda Pod. These
+  permissions may be disabled by specifying `rbac.rpkDebugBundle=false`.
+
+  Additionally, the redpanda container now always has a Kubernetes
+  ServiceAccount token mounted to it to ensure `rpk debug bundle` can be
+  executed successfully.
+### Removed
+* Removed regex validation of all image tags.
+### Fixed
+* Fixed rack awareness by mounting a service account token to the initcontainer when rack awareness is enabled.
+* Broken `Issuer`s and `Certificate`s are no longer needlessly generated when `tls.<cert>.issuerRef` is provided.
+* The `schema_registry_client` and `pandaproxy_client` stanzas of `redpanda.yaml`
+  now respect `listeners.kafka.tls.trustStore`, when provided.
+  See also [helm-chart 1573 issue](https://github.com/redpanda-data/helm-charts/issues/1573).
+
+
 ## v5.10.1 - 2025-04-08
 ### Changed
 * bumped `appVersion` to [v25.1.1](https://github.com/redpanda-data/redpanda/releases/tag/v25.1.1).

charts/redpanda/Chart.yaml

@@ -23,11 +23,11 @@ type: application
 # The chart version and the app version are not the same and will not track
 # together. The chart version is a semver representation of changes to this
 # chart.
-version: 5.10.1
+version: 5.10.2
 
 # The app version is the default version of Redpanda to install.
 # ** NOTE for maintainers: please ensure the artifacthub image annotation is updated before merging
-appVersion: v25.1.1
+appVersion: v25.1.2
 
 # kubeVersion must be suffixed with "-0" to be able to match cloud providers
 # kubernetes versions like "v1.23.8-gke.1900". Their suffix is interpreted as a
@@ -56,6 +56,6 @@ annotations:
       url: https://helm.sh/docs/intro/install/
   artifacthub.io/images: |
     - name: redpanda
-      image: docker.redpanda.com/redpandadata/redpanda:v25.1.1
+      image: docker.redpanda.com/redpandadata/redpanda:v25.1.2
     - name: busybox
       image: busybox:latest

charts/redpanda/README.md

@@ -3,7 +3,7 @@
 description: Find the default values and descriptions of settings in the Redpanda Helm chart.
 ---
 
-![Version: 5.10.1](https://img.shields.io/badge/Version-5.10.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v25.1.1](https://img.shields.io/badge/AppVersion-v25.1.1-informational?style=flat-square)
+![Version: 5.10.2](https://img.shields.io/badge/Version-5.10.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v25.1.2](https://img.shields.io/badge/AppVersion-v25.1.2-informational?style=flat-square)
 
 This page describes the official Redpanda Helm Chart. In particular, this page describes the contents of the chart’s [`values.yaml` file](https://github.com/redpanda-data/helm-charts/blob/main/charts/redpanda/values.yaml). Each of the settings is listed and described on this page, along with any default values.
 
@@ -322,15 +322,9 @@ Redpanda Docker image settings.
 **Default:**
 
 ```
-{"pullPolicy":"IfNotPresent","repository":"docker.redpanda.com/redpandadata/redpanda","tag":""}
+{"repository":"docker.redpanda.com/redpandadata/redpanda","tag":""}
 ```
 
-### [image.pullPolicy](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=image.pullPolicy)
-
-The imagePullPolicy. If `image.tag` is 'latest', the default is `Always`.
-
-**Default:** `"IfNotPresent"`
-
 ### [image.repository](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=image.repository)
 
 Docker repository from which to pull the Redpanda Docker image.
@@ -604,7 +598,7 @@ Role Based Access Control.
 **Default:**
 
 ```
-{"annotations":{},"enabled":false}
+{"annotations":{},"enabled":true,"rpkDebugBundle":true}
 ```
 
 ### [rbac.annotations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=rbac.annotations)
@@ -615,9 +609,15 @@ Annotations to add to the `rbac` resources.
 
 ### [rbac.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=rbac.enabled)
 
-Enable for features that need extra privileges. If you use the Redpanda Operator, you must deploy it with the `--set rbac.createRPKBundleCRs=true` flag to give it the required ClusterRoles.
+Controls whether or not Roles, ClusterRoles, and bindings thereof will be generated. Disabling this very likely result in a non-functional deployment. If you use the Redpanda Operator, you must deploy it with the `--set rbac.createRPKBundleCRs=true` flag to give it the required ClusterRoles.
 
-**Default:** `false`
+**Default:** `true`
+
+### [rbac.rpkDebugBundle](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=rbac.rpkDebugBundle)
+
+Controls whether or not a Role and RoleBinding will be generated for the permissions required by `rpk debug bundle`. Disabling will not affect the redpanda deployment itself but a bundle is required to engage with our support.
+
+**Default:** `true`
 
 ### [resources](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=resources)
 
@@ -705,7 +705,7 @@ Service account management.
 **Default:**
 
 ```
-{"annotations":{},"automountServiceAccountToken":false,"create":false,"name":""}
+{"annotations":{},"create":true,"name":""}
 ```
 
 ### [serviceAccount.annotations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=serviceAccount.annotations)
@@ -714,17 +714,11 @@ Annotations to add to the service account.
 
 **Default:** `{}`
 
-### [serviceAccount.automountServiceAccountToken](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=serviceAccount.automountServiceAccountToken)
-
-Specifies whether a service account should automount API-Credentials. The token is used in sidecars.controllers
-
-**Default:** `false`
-
 ### [serviceAccount.create](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=serviceAccount.create)
 
 Specifies whether a service account should be created.
 
-**Default:** `false`
+**Default:** `true`
 
 ### [serviceAccount.name](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=serviceAccount.name)
 
@@ -997,7 +991,7 @@ DEPRECATED: Please use statefulset.sideCars.brokerDecommissioner and statefulset
 **Default:**
 
 ```
-{"createRBAC":true,"enabled":false,"healthProbeAddress":":8085","image":{"repository":"docker.redpanda.com/redpandadata/redpanda-operator","tag":"v2.3.8-24.3.6"},"metricsAddress":":9082","pprofAddress":":9083","resources":{},"run":["all"],"securityContext":{}}
+{"createRBAC":true,"enabled":false,"healthProbeAddress":":8085","image":{"repository":"docker.redpanda.com/redpandadata/redpanda-operator","tag":"v2.4.1"},"metricsAddress":":9082","pprofAddress":":9083","resources":{},"run":["all"],"securityContext":{}}
 ```
 
 ### [statefulset.sideCars.controllers.resources](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.controllers.resources)
@@ -1020,7 +1014,7 @@ To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limi
 
 ### [statefulset.sideCars.image.tag](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.image.tag)
 
-**Default:** `"v2.3.8-24.3.6"`
+**Default:** `"v2.4.1"`
 
 ### [statefulset.sideCars.pvcUnbinder.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.pvcUnbinder.enabled)
 

charts/redpanda/files/decommission.ClusterRole.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: decommission
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - persistentvolumes
+    verbs:
+      - patch

charts/redpanda/files/decommission.Role.yaml

@@ -0,0 +1,40 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: decommission
+  namespace: default
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - events
+    verbs:
+      - create
+      - patch
+  - apiGroups:
+      - ""
+    resources:
+      - persistentvolumeclaims
+    verbs:
+      - delete
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - apps
+    resources:
+      - statefulsets
+    verbs:
+      - get
+      - list
+      - watch

charts/redpanda/files/pvcunbinder.ClusterRole.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: pvcunbinder
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - persistentvolumes
+    verbs:
+      - get
+      - list
+      - patch
+      - watch

charts/redpanda/files/pvcunbinder.Role.yaml

@@ -0,0 +1,17 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: pvcunbinder
+  namespace: default
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - persistentvolumeclaims
+      - pods
+    verbs:
+      - delete
+      - get
+      - list
+      - watch

charts/redpanda/files/rack-awareness.ClusterRole.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: rack-awareness
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - nodes
+    verbs:
+      - get

charts/redpanda/files/rpk-debug-bundle.Role.yaml

@@ -0,0 +1,24 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: rpk-debug-bundle
+  namespace: default
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+      - endpoints
+      - events
+      - limitranges
+      - persistentvolumeclaims
+      - pods
+      - pods/log
+      - replicationcontrollers
+      - resourcequotas
+      - serviceaccounts
+      - services
+    verbs:
+      - get
+      - list